1. Technical Field
The following disclosure pertains in general to computer security and particularly to identifying suspicious usage of legitimate objects.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Modern malware is often designed to provide financial gain to the attacker. For example, malware can stealthily capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
Signatures can be used to detect some types of malware. Malware signatures describe characteristics of known malware, such as data strings found in the malware or known malicious behaviors, and are used to determine whether an object on a computer contains malware. Typically, a set of malware signatures is generated by a provider of security software and is deployed to security software on a user's computer. This set of malware signatures is then used by the security software to detect malware on the user's computer.
However, the security software can fail to detect certain types of malware. For example, attackers are now carrying out attacks using objects trusted as legitimate (i.e., non-malicious) by the security software. The malware signatures do not detect that the trusted objects are being used for malicious purposes. Therefore, the security software does not detect the attack.